7.8.1 Medical and Scientific Devices

A. Purpose

The purpose of this policy is to outline the way in which medical devices must be acquired, operated, and decommissioned so that the privacy and security of patient information are upheld.

  • Medical device acquisitions must be approved by the parties identified on the Capital Expenditure Request (CER) form.
  • Approval is contingent upon the medical device’s ability to fulfill the medical device data protection standards.
  • All patient data must be removed from the medical device by IT before the device is decommissioned.

B. Persons Affected/Scope

  • All medical devices operated by the University.
  • Sometimes medical devices are connected to computers or external storage drives that are not considered components of the medical device by the FDA. In such cases, the computer or external storage must be treated as an Information Technology (IT) system and therefore becomes subject to all other IT policies (e.g., encryption, etc.).
  • All data processed or stored on medical devices are considered University data and subject to University data protection standards and policies.

This policy addresses the privacy and security of patient data as they relate to medical devices. Safety, patient care, and all other concerns that are not related to the privacy and security of patient data are outside the scope of this policy.

C. Definitions

  1. 510(k) Process: The 510(k) process applies to most Class II medical devices sold in the US and a small number of Class I and Class III devices as well.
  2. Classification (FDA): Regulatory authorities recognize different classes of medical devices, based on their design complexity, their use characteristics, and their potential for harm if misused. Under the Food, Drug, and Cosmetic Act, the Food and Drug Administration recognizes three (3) classes of medical devices — Class I, Class II, and Class III — based on the level of control necessary to assure safety and effectiveness. The classification procedures are described in the Code of Federal Regulations, Title 21, Part 860 (also known as 21 CFR 860). The FDA recognizes two (2) regulatory pathways for marketing medical devices.
    1. 510(k) Process: The most common is the 510(k) process. A new medical device that can be demonstrated to be “substantially equivalent” to a previously legally marketed device can be “cleared” by the FDA for marketing as long as the general and special controls are met. The 510(k) pathway rarely requires clinical trials.
    2. Premarket Approval Process: The second regulatory pathway for new medical devices is the Premarket Approval process, which typically requires clinical trials.
  3. Device Categorization: For the purposes of this procedural document, the University assesses the risk of medical devices with a 510(k) FDA Class II, and in some cases Class III, level of control, and then further categorizes the medical devices into the following University Medical Device Categories, which are based on how a medical device handles data:
    1. Category I – device is not capable of storing PHI;
    2. Category II – device is capable of storing PHI;
    3. Category III - device is capable of storing PHI and is connected to the network; and
    4. Category IV – device is capable of storing PHI, is connected to the network, and is interfaced with an EHR or any systems (e.g., the device can upload and download PHI to and from an EHR or any other system).
    5. The University’s four-level device categorization standard will be the only categorization standard referenced below in this document.
  4. EHR / EMR: Electronic health records (EHR) and electronic medical records (EMR) are digital versions of a paper chart that contains all of a patient’s medical history from one (1) practice used by health providers for diagnosis and treatment.
  5. Medical Device: An instrument, machine, apparatus, implant, in vitro reagent, or similar or related article that is used to diagnose, prevent, or treat disease or other conditions, and does not achieve its purposes through chemical action, such as a drug or medication, within or on the body. Medical devices vary greatly in complexity and application. For the purposes of this policy, medical devices with a 510(k) classification are addressed.

D. Responsibility

  1. Procurement Process: All 510(k) medical devices with the capability of processing, transmitting, or storing patient data, whether procured or acquired via donation or other methods and regardless of asset cost or value, must be reported to the Purchasing Department for proper review and for scheduling of an IT risk assessment prior to procurement and/or installation.
  2. Physical Plant: Responsible for UTHSCT signature authority when purchasing a medical device. May also be consulted prior to acquisition of medical devices by Biomedical Services and Information Technology to evaluate the space and infrastructure needed to support and house the medical devices.
  3. Accounting: Responsible for collecting asset information (e.g., manufacturer name, serial number, asset location, etc.) and for affixing asset tags to those new devices for inventory tracking purposes in accordance with State guidelines. Accounting should ensure asset tags remain both affixed to the devices and continue to be legible during the inventory review process.
  4. Department Director: Responsible for approving medical device purchases at the department level.
  5. Information Technology (IT): Responsible for ensuring medical devices have a completed risk assessment prior to connecting to a network. Ensure network connections for medical devices are documented and segmented in a manner that restricts network access from devices that do not need to reach them.
  6. Biomedical Services: Responsible for performing risk assessments of all 510(k) medical devices to determine each device’s 510(k) medical device categorization. Maintain inventory listing of medical devices, manage firmware/software updates, and implement secure configurations in accordance with Medical and Scientific Device Standard Operating Procedure (SOP). Notify the Compliance, Accounting, and Information Security Departments when a medical device that stores or interfaces with PHI can’t be located or changes department or physical address.
  7. Information Security: Develop and implement a standardized risk assessment of medical devices considering device limitations, vulnerabilities, and the impact of those devices that interface with PHI or are connected to the network. Perform vulnerability scans and inform Biomedical Services of findings. Follow the established process for retired, auctioned, or re-activated medical devices.

E. Medical Device Data Protection Standards

Medical devices fall into four (4) categories depending on the way in which they handle patient data and interact with computer networks and systems.

Category I

  • Category I includes medical devices that are unable to store PHI persistently on local media.
  • Category I risks are minimal because no PHI is exposed if the device is lost or stolen.

Category II

  • Category II includes medical devices that are able to store PHI persistently on local media but are unable to connect to the wired or wireless computer network.
  • Category II risks include the unauthorized disclosure of PHI when the device is missing or stolen.
  • Category II devices must be configured with encryption to protect against data disclosure; if encryption is not permitted by the manufacturer, they must instead be configured so that PHI cannot accumulate beyond 100 records on the local media.

Category III

  • Category III includes medical devices that are able to store PHI persistently on local media and are able to connect to the wired or wireless computer network but are unable to interface with the EHR or other patient care systems.
  • Category III risks include the unauthorized disclosure of PHI when the device is missing or stolen and possible vulnerabilities in the operating system or the software that could allow a network attacker to compromise the security of the device.
  • Category III devices must be configured with encryption to protect against data disclosure; if encryption is not permitted by the manufacturer, they must instead be configured so that PHI cannot accumulate beyond 100 records on the local media. Security patches, anti-virus software, or an in-line intrusion prevention system must be applied to Category III medical devices in order to mitigate the risk of network attacks.

Category IV

  • Category IV includes medical devices that are able to store PHI persistently on local media, are able to connect to the wired or wireless computer network, and are able to interface with the EHR or other patient care systems (e.g., download/upload PHI).
  • Category IV risks include the unauthorized disclosure of PHI when the device is missing or stolen and possible vulnerabilities in the operating system or the software that could allow a network attacker to compromise the security of the device, which is especially important considering that these devices have access to the EHR and are able to import a large amount of PHI.
  • Category IV devices must be configured with encryption to protect against data disclosure; if encryption is not permitted by the manufacturer, they must instead be configured so that PHI cannot accumulate beyond 100 records on the local media. Security patches, anti-virus software, and an in-line intrusion prevention system must be applied to Category IV medical devices in order to mitigate the risk of network attacks.

F. Exceptions

Exceptions will be considered on a case-by-case basis by contacting the Information Security Office. The following compensating controls may support an exception request; they are listed from the most effective to the least effective.

  1. Encryption of the local media so that the data on the local media is protected in the event of theft or if the device is missing.
  2. Automated technical controls that will prevent PHI from being stored on the device if encryption is not permitted by the manufacturer. PHI can be displayed on the device but never stored locally on the device. PHI can only be stored on a secured remote location (e.g., PACS image server, NAS, encrypted external drive, DICOM grid, etc.).
  3. Automated technical controls that will cause the device to systematically erase PHI to prevent its accumulation beyond 100 records. Clinicians must back up the data they need to a secure location before its removal. PHI does not belong on – and must not accumulate on – an unsecured device.
  4. Administrative controls that will require staff to manually remove PHI to mitigate the accumulation of PHI beyond 100 records on an unsecured device. Such controls must explicitly specify who will be doing what, how often, and how. These controls must be accompanied by monitoring controls to ensure that they are being followed by staff.
  5. Physical controls that are specific to the device, such as strong cable locks and security bolts.
  6. Physical controls that are specific to the secured areas in which the device is stored or operated, such as badge access, locked doors, etc.
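The 100-record cap required for Category II, III, and IV devices without encryption, and the automated erasure control in item 3 above, can be implemented as a scheduled job on the device's host computer. The following Python script is an added example and is not part of this policy, the Medical and Scientific Device SOP, or any University tool. It assumes a layout that is not stated in the policy: one file per patient record in a single directory, with file modification time as the record's age. It erases the oldest records until at most 100 remain, overwriting each file before unlinking it; the clinician's backup of needed data to a secure location (item 3) is a separate step that must happen before this job runs.

```python
"""Retention-cap control: keep at most RECORD_CAP PHI records on local media.

Added example for the policy's 100-record limit. Assumed layout: one record
per file in a directory; oldest record = earliest modification time.
"""
import os
import tempfile
from pathlib import Path

RECORD_CAP = 100  # limit stated in the policy's data protection standards


def list_records(record_dir):
    """Return record files oldest-first (mtime, then name for a stable order)."""
    files = [p for p in Path(record_dir).iterdir() if p.is_file()]
    return sorted(files, key=lambda p: (p.stat().st_mtime, p.name))


def count_over_cap(record_dir, cap=RECORD_CAP):
    """How many records exceed the cap (0 when the device is compliant)."""
    return max(0, len(list_records(record_dir)) - cap)


def secure_unlink(path):
    """Overwrite the file's bytes, flush to disk, then remove the directory entry.

    Caveat: on flash or wear-levelled media the old blocks may survive an
    overwrite; this is a best-effort control, which is why the policy ranks
    full-media encryption above it.
    """
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        fh.write(b"\x00" * size)
        fh.flush()
        os.fsync(fh.fileno())
    path.unlink()


def enforce_cap(record_dir, cap=RECORD_CAP, dry_run=False):
    """Erase the oldest records until at most `cap` remain.

    Returns the names of the records erased (or that would be erased when
    dry_run=True), so the run can be logged for the monitoring control.
    """
    records = list_records(record_dir)
    excess = records[: max(0, len(records) - cap)]
    if not dry_run:
        for p in excess:
            secure_unlink(p)
    return [p.name for p in excess]


def demo(n_records=105, cap=RECORD_CAP):
    """Build a constructed record store, enforce the cap, and report.

    Returns (records before, names erased, records after). The record
    contents and timestamps are constructed for the example.
    """
    with tempfile.TemporaryDirectory() as d:
        base = 1_700_000_000  # constructed epoch time; record i is i seconds newer
        for i in range(n_records):
            p = Path(d) / f"record_{i:04d}.dat"
            p.write_bytes(b"constructed PHI record %d" % i)
            os.utime(p, (base + i, base + i))
        before = len(list_records(d))
        erased = enforce_cap(d, cap)
        after = len(list_records(d))
    return before, erased, after


if __name__ == "__main__":
    before, erased, after = demo()
    print(f"records before: {before}, erased: {len(erased)}, after: {after}")
```

Run it unattended (e.g., from the host's task scheduler or cron) against the real record directory, and send the returned list to a log the device owner reviews; that review is the monitoring control item 4 requires for any manual fallback. A `dry_run=True` pass is useful before first deployment to confirm the oldest-first ordering matches the device's actual file naming.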

G. Enforcement

Medical and scientific devices found to be in violation of this policy, or of the Medical and Scientific Device SOP, will be reported to both the Information Security and Compliance Departments for a risk assessment. Additionally, medical devices found storing PHI without the required controls, or storing more than 100 patient records on local media, may be removed from service until device remediation occurs.

H. References

I. Review Responsibilities and Dates

The Division Head for this Policy is the Chief Information Security Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.

APPROVED: 04/2022

AMENDED:  05/2023